
Identity Management

Internet2 Fall Meeting

Jack Suess, CIO, UMBC

http://userpages.umbc.edu/~jack/talks/idman.htm

2

Identity Management Definition

What do we mean by Identity Management?

• CSU definition - An identity management infrastructure is a collection of technology and policy that enables networked computer systems to determine who has access to them and what resources the person is authorized to access, while protecting individual privacy and access to confidential information.

3

Let’s Analyze the Definition

Infrastructure - software and hardware

Collection - not just technology

Technology and policy - Policy is as important as technology

Networked computer systems - implies distributed technology and communication over the network

Access - Who am I

Authorized - What can I do

Protecting - limiting access and protecting information

4

Infrastructure for Identity Management

Common elements

• System of record (SOR) - system for identifying university membership (e.g. SIS, HR, Alumni)

• Registry - aggregation point where key data elements from SOR are integrated

• Directory - LDAP service that organizes registry information and responds to requests

• Authenticator - service that authenticates (e.g. Kerberos)

• WebISO - web-based authentication

• Groups - university roles

• Services - application services that utilize IdM

• Policy - definitions and structure
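The SOR-to-registry-to-directory chain on this slide, as an added example that is not UMBC's or Internet2's code. Two constructed SOR feeds (SIS and HR) that both key people by SSN are merged into one person registry, affiliations are derived from each source, and only affiliated people are projected into LDAP-style entries. The registry replaces the SSN with an HMAC-derived opaque identifier, which is the "translator" role the privacy slide later describes. The feed layouts, the affiliation mapping, the HMAC key and the attribute names are assumptions; eduPersonAffiliation is the real Internet2 schema attribute but its use here is illustrative.

```python
"""Toy metadirectory: merge records from several systems of record (SOR)
into a person registry and emit directory entries.

Added example, not UMBC's or Internet2's code. The SOR record layouts, the
match key, the affiliation mapping and the attribute names are assumptions.
"""
from dataclasses import dataclass, field
import hashlib
import hmac

# Constructed sample SOR feeds. Both legacy systems key people by SSN;
# the registry must match on it without ever handing it to consumers.
SIS_FEED = [
    {"ssn": "123-45-6789", "name": "Ada Lovelace", "status": "enrolled"},
    {"ssn": "987-65-4321", "name": "Carl Gauss", "status": "withdrawn"},
]
HR_FEED = [
    {"ssn": "123-45-6789", "name": "Ada Lovelace", "emp_class": "student-worker"},
    {"ssn": "555-55-5555", "name": "Emmy Noether", "emp_class": "faculty"},
]
# Secret held only inside the registry (constructed value; rotate in practice).
REGISTRY_HMAC_KEY = b"constructed-example-key"


@dataclass
class Person:
    registry_id: str
    name: str
    affiliations: set = field(default_factory=set)
    sources: set = field(default_factory=set)


def opaque_id(ssn: str) -> str:
    """Stable registry identifier derived from the SOR key. Consumers see
    only this value; without the key they cannot recover or guess the SSN."""
    digest = hmac.new(REGISTRY_HMAC_KEY, ssn.encode(), hashlib.sha256).hexdigest()
    return "P" + digest[:12]


def sis_affiliations(rec: dict) -> set:
    return {"student"} if rec["status"] == "enrolled" else set()


def hr_affiliations(rec: dict) -> set:
    mapping = {
        "faculty": {"faculty", "employee"},
        "staff": {"staff", "employee"},
        "student-worker": {"employee"},
    }
    return mapping.get(rec["emp_class"], set())


def build_registry(sis_feed, hr_feed) -> dict:
    """Aggregate every SOR feed into one registry keyed by opaque id, so a
    person present in several systems becomes a single registry entry."""
    registry = {}
    for source, feed, derive in (("SIS", sis_feed, sis_affiliations),
                                 ("HR", hr_feed, hr_affiliations)):
        for rec in feed:
            pid = opaque_id(rec["ssn"])
            person = registry.setdefault(pid, Person(pid, rec["name"]))
            person.sources.add(source)
            person.affiliations |= derive(rec)
    return registry


def directory_entries(registry: dict) -> list:
    """Project the registry into LDAP-style entries for consumers. People
    with no current affiliation (e.g. a withdrawn student with no other
    role) get no entry, and the SSN never appears."""
    entries = []
    for p in sorted(registry.values(), key=lambda p: p.registry_id):
        if not p.affiliations:
            continue
        entries.append({
            "dn": f"uid={p.registry_id},ou=people,dc=example,dc=edu",
            "cn": p.name,
            "eduPersonAffiliation": sorted(p.affiliations),
        })
    return entries


if __name__ == "__main__":
    for entry in directory_entries(build_registry(SIS_FEED, HR_FEED)):
        print(entry)
```

Matching on a sensitive key while exposing only a derived identifier is the point of the registry layer: downstream services such as mail routing or lab logins get a stable uid and a set of affiliations, not the data that produced them.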

5

UMBC Directory Architecture

[Diagram (slide 5): components recoverable from the figure: Public LDAP (Whitepages) (SunOne DS5); Oracle DB; LDAP Directory (iPlanet 4.1x) with two Replicas; Authentication Service (MIT K5); Metadirectory Processes (perl); SIS (HP MPE) and SIS Mirror; HR System; User Input / Directory Management Applications; Outgoing Connectors (perl) to consumers: Radius, WebAuth, PeopleSoft, etc.; UNIX Systems, Win2K Labs, AFS; Email Clients; Email Routing.]

6

[Diagram (slide 6): enterprise directory architecture; labels recoverable from the figure: Applications and Services (Authentication API, Authorization API, University Addressbook, OnCourse, Active Directory, Steel Web Pgs, PplSft, Insite, Shakes/Jewels, Modems, Virtual Private Network (VPN), MY IU, UIS Appl, Eclipse, ERA, FIS, Library, Others); University People Information sources (Foundation, Alumni, Continuing Studies, Other University Affiliations, Demographic Data, HR Data, Others); Extract/Load Processes and Information Extract (LDAP) feeding the Enterprise Directory / Information Store (GDS); Personal Account Creation & Administration (Self Service); Account/Information Mgt & Maint by Local/Campus Support Providers and Staff; Core Services: Authentication (PIN, Token, Password; Kerberos, Safeword, AS Server), Authorization & Roles DB, Other Directories (ADS, Departmental Accounts); identifiers and roles shown: SID, EMPID, ISN, IU.EDU E-mail NameSpace, MATH Major, C201, UITS, IUK, Grades Clerk, Acct Manager, HR Rep, Advisor.]

7

Technology and Policy

Policy Issues

• Rules for membership in your community. Who is an active student, who is a faculty member, who is an alumnus?

• Who is eligible for an account? Under what circumstances?

• What services are they allowed to access?

• Who can sponsor affiliate members?

• How long do you remain a member of the community?

• What about guests or the public?

8

Authentication and Authorization

Authentication - Who am I?

• Shared secret -- password?

• Secret key - PKI

• Biometrics/other?

Authorization - What am I allowed to do or access?

• Affinity groups are defined and populated. Roles are based on a combination of affinities.

Identity Management system must answer both questions.

9

Security and Availability

An Identity Management (IdM) system is at the heart of defining who may have accounts on different systems

The IdM is exposed to the Internet and must be hardened and protected as a critical IT resource

Key Issues:

• Failover

• Capacity to meet peak loads

• Capacity to meet critical service needs

Replication and distribution are key

10

Beginning an Identity Management Project

Executive sponsorship is critical. Develop a business case for the project and treat it like any other development project

The project will have tremendous implications inside IT on how you provide services, make certain you get everyone on board.

The project requires access to data. Get agreements in place from data stewards before beginning project.

Don’t scrimp on hardware; focus on 99.999% uptime

11

Questions to Answer

What follows are some questions you want to have answered prior to starting your Identity Management project

12

How do you define who is eligible for different services?

• Obvious: staff, faculty, students

• Less obvious:

–Alumni, supporters?

–Parents

–Sponsored or affiliate IDs

–Transient, e.g. meetings and conferences

–Former employees

–Research partners

–Affiliates: auxiliaries, credit union, teachers

13

Eligibility -- Thorny Issues

• Intermittent roles – persistent IDs?

–Lecturers, seasonal employees

–Students

• Multiple roles – change roles, keep IDs?

–Student workers

–Staff students

• Multi-campus issues - common ID across system?

• Does everyone need to be in your IDM? “Frontier-class” service

14

Eligibility -- Create Policy First

Indiana

• Policy defines who can have and sponsor accounts.

• Accounts Management System will implement policy in software.

15

What were the challenges in creating a single namespace?

Once you define who is eligible to be in your IM you must create a person registry from multiple SOR.

For each person in the registry you must define an account name. Dealing with conflicts is a political challenge.

Get agreement on ground rules prior to starting the project.

Provide flexibility. People care more about their email address than they do their username!

When creating new authentication service, require strong passwords!

16

Indiana University Name Space

• Had to work across 8 campuses plus 4 major data centers

• Ground work in 1988 with "username format summit"

• Namespace consolidation project began "in earnest" in 1997

• Required high-level leverage (University CIO)

• Consisted of iterative generation and review of name lists of various naming organizations

• Person who had name first got to keep it

• Took 3 years to complete
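The namespace rules from slides 15 and 16 (one account name per registry person, the earlier holder keeps a contested name, strong passwords on the new authentication service) and the per-person e-mail aliases mentioned on the next slide, as an added example that is neither UMBC's nor Indiana University's code. Usernames and aliases are allocated from one shared namespace so an alias can never shadow someone else's login; the name format rule, the numeric-suffix fallback, the password policy thresholds and the constructed name lists are assumptions.

```python
"""Toy single-namespace allocator for account names and e-mail aliases.

Added example, not UMBC's or Indiana University's code. The conflict rule
(earlier holder keeps the name) and the three-alias limit come from the
slides; the name format, fallback scheme and password policy are assumptions.
"""
from datetime import date
import re

MAX_ALIASES = 3
NAME_RE = re.compile(r"^[a-z][a-z0-9]{1,15}$")   # assumed local format rule


class Namespace:
    def __init__(self):
        # name -> (person_id, kind, held_since); usernames and aliases share
        # one table so an alias can never collide with a login name.
        self._names = {}
        self._aliases = {}   # person_id -> set of alias names

    def _alternate(self, wanted: str) -> str:
        """Deterministic fallback: smallest free numeric suffix."""
        base = wanted.rstrip("0123456789") or wanted
        n = 2
        while f"{base}{n}" in self._names:
            n += 1
        return f"{base}{n}"

    def assign_username(self, person_id: str, wanted: str, held_since: date) -> str:
        """Give person_id the wanted name if free (or already theirs), else
        an alternate. Callers feed records oldest-first (see allocate_all),
        so whoever held a name longest is the one who keeps it."""
        wanted = wanted.lower()
        if not NAME_RE.match(wanted):
            raise ValueError(f"invalid account name: {wanted!r}")
        holder = self._names.get(wanted)
        if holder is None or holder[0] == person_id:
            self._names[wanted] = (person_id, "username", held_since)
            return wanted
        alt = self._alternate(wanted)
        self._names[alt] = (person_id, "username", held_since)
        return alt

    def add_alias(self, person_id: str, alias: str) -> bool:
        """Self-selected e-mail alias; refused if malformed, taken, or the
        person already has MAX_ALIASES."""
        alias = alias.lower()
        if not NAME_RE.match(alias) or alias in self._names:
            return False
        owned = self._aliases.setdefault(person_id, set())
        if len(owned) >= MAX_ALIASES:
            return False
        self._names[alias] = (person_id, "alias", date.today())
        owned.add(alias)
        return True

    def owner(self, name: str):
        return self._names.get(name.lower(), (None,))[0]


def allocate_all(ns: Namespace, records) -> dict:
    """records: (person_id, wanted_name, held_since). Processing oldest
    claim first implements "the person who had the name first keeps it"."""
    result = {}
    for pid, wanted, since in sorted(records, key=lambda r: (r[2], r[0])):
        result[pid] = ns.assign_username(pid, wanted, since)
    return result


def is_strong_password(pw: str, username: str) -> bool:
    """Assumed minimum policy: 12+ characters, at least three character
    classes, and the account name must not appear in the password."""
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    return len(pw) >= 12 and classes >= 3 and username.lower() not in pw.lower()


# Constructed name list: three people from different SORs want "jsmith".
SAMPLE = [
    ("P001", "jsmith", date(2001, 9, 1)),    # HR hire
    ("P002", "jsmith", date(1998, 1, 15)),   # alumni record, oldest claim
    ("P003", "jsmith", date(2003, 5, 2)),    # new student
    ("P004", "alice", date(2002, 3, 3)),
]

if __name__ == "__main__":
    ns = Namespace()
    print(allocate_all(ns, SAMPLE))
```

Letting users choose aliases from the same table as usernames is what keeps "people care more about their email address than their username" from turning into a second namespace with its own conflicts.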

17

Namespace

• Person who had an identifier the longest got to keep it

• Took over 3 years to complete

• In 2002, moved namespace to enterprise LDAP directory

• UMBC created common namespace in 1995 when we merged academic and administrative computing

• In 2002 we allowed users to select account name and promoted that they create custom email aliases (up to 3). Giving custom email aliases lessens namespace complaints

18

Distribution of Credentials

• Identity Management usually necessitates automated distribution of credentials

• Credentials are managed through an account management system

• Faculty/staff/students initiate account process online.

• Account holders (faculty/staff) may be authorized to sponsor affiliates. Affiliate accounts are linked to the sponsor.

19

Will authentication strength vary by application type?

• Consider providing alternative authentication methods and allow services to specify level of authentication and timeout period

• We use two levels and we are looking at a third level { id : pin ; username:password }

• We would like a third level that we use in addition to username:password

• WebISO defines password level, timeout duration, attributes released, etc.

20

How do you handle authorization to services?

Problem: our legacy services assumed that authentication implies authorization.

Remedy: Use IdM to define affiliations and control access by group membership

Strategy: Create 15-20 automatically maintained major affiliation types (example: faculty, staff, student, affiliate and several gradations of each) to define roles

Challenge: It isn’t easy to keep this maintained and not all services can use groups
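Slides 19 and 20 together, as an added example that is not UMBC's WebISO code: a service declares the authentication level it needs, how old a login it accepts, and which affiliation group is authorised, and the IdM answers "who am I" and "what may I do" as separate checks. The legacy "authenticated means authorised" rule sits beside the group-based decision so the difference is visible. The two levels (id:pin, username:password) and the wish for a third come from the slides; the level numbering, the constructed registry, the group names, the service policies and the function names are assumptions.

```python
"""Toy WebISO-style access decision: authentication strength, per-service
session timeout, and group-based authorisation evaluated separately.

Added example, not UMBC's WebISO code. Level numbering, group names,
registry layout and service policies are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import FrozenSet, Optional

# Assumed strength ordering: a stronger method satisfies a weaker requirement,
# never the reverse. The third level is the one the slide says is wanted.
LEVELS = {"id:pin": 1, "username:password": 2, "username:password+token": 3}


@dataclass
class Session:
    user: str
    method: str                 # key of LEVELS
    authenticated_at: datetime


@dataclass
class ServicePolicy:
    name: str
    min_method: str
    max_age: timedelta          # per-service timeout, as the WebISO defines it
    required_groups: FrozenSet[str] = frozenset()   # empty = any authenticated user


# Constructed registry attributes maintained by the metadirectory.
REGISTRY = {
    "ada":  {"affiliations": {"student", "employee"}, "credits": 15},
    "emmy": {"affiliations": {"faculty", "employee"}},
    "carl": {"affiliations": {"affiliate"}},
}


def build_groups(registry: dict) -> dict:
    """Automatically maintained affiliation groups derived from registry
    attributes, so membership is never hand-edited per service."""
    groups = {}
    for uid, attrs in registry.items():
        for aff in attrs["affiliations"]:
            groups.setdefault(aff, set()).add(uid)
        # a gradation of "student", as the slide's 15-20 types include
        if "student" in attrs["affiliations"] and attrs.get("credits", 0) >= 12:
            groups.setdefault("student-fulltime", set()).add(uid)
    return groups


def legacy_decision(session: Optional[Session]) -> bool:
    """The legacy assumption on the slide: a valid login is all that is checked."""
    return session is not None


def decide(session: Optional[Session], policy: ServicePolicy,
           groups: dict, now: datetime):
    """Return (allowed, reason): authentication strength, then session age
    for this service, then group membership."""
    if session is None:
        return False, "no session"
    if LEVELS[session.method] < LEVELS[policy.min_method]:
        return False, "step-up authentication required"
    if now - session.authenticated_at > policy.max_age:
        return False, "login too old for this service"
    if policy.required_groups and not any(
            session.user in groups.get(g, set()) for g in policy.required_groups):
        return False, "not in an authorised group"
    return True, "ok"


POLICIES = {
    "grades-entry": ServicePolicy("grades-entry", "username:password",
                                  timedelta(minutes=15), frozenset({"faculty"})),
    "library": ServicePolicy("library", "id:pin", timedelta(hours=8),
                             frozenset({"student", "faculty", "staff"})),
    "whitepages": ServicePolicy("whitepages", "id:pin", timedelta(hours=8)),
}

if __name__ == "__main__":
    now = datetime(2024, 9, 1, 12, 0)
    groups = build_groups(REGISTRY)
    s = Session("ada", "username:password", now - timedelta(minutes=5))
    print("legacy:", legacy_decision(s))
    print("grades-entry:", decide(s, POLICIES["grades-entry"], groups, now))
```

The "not all services can use groups" challenge is exactly the gap between `legacy_decision` and `decide`: a service that only asks the WebISO whether a login happened gets the first answer, whichever groups the registry maintains.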

21

How do you ensure privacy and accountability?

• Rapidly evolving area -- GLB, HIPAA, CA SB-1386, etc.

• Directory services allow services to be delegated more broadly -- make sure staff that get access are trained in privacy regulations

• Review logging procedures and log retention

• Limit who has direct access to the directory and who can update the directory

• IdM can serve the role of translator and lessen use of private data such as SSN

• One consequence of directories is that they can facilitate spamming; limit trolling

22

Revocation of Credentials?

• Worked with IT Steering Committee and faculty senate 18 months on account deletion plans.

• Developed state diagram; accounts transition through these states. Time in each state is determined by UMBCperson affiliation

• Requires ability to delegate authority on accounts to sponsoring entity. They can sponsor anyone but take responsibility for those they sponsor.

• Runs nightly based on last effective date

• Highly political - everyone wants free access
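The nightly revocation job this slide describes, as an added example that is not UMBC's code. Accounts move through states whose durations depend on affiliation, the transition is computed from the last effective date, and a sponsored affiliate's lifetime is bounded by its sponsor's own eligibility, which is what delegating authority to the sponsoring entity implies. The page does not reproduce the UMBC state diagram, so the state names, the per-affiliation durations and the constructed accounts here are assumptions.

```python
"""Toy account life-cycle job: state transitions driven by the last
effective date, with per-affiliation durations and sponsor linkage.

Added example, not UMBC's code. State names and durations are assumptions;
the real UMBC state diagram is not shown on the page.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

STATES = ("active", "grace", "disabled", "deleted")

# Assumed days after the last effective date before moving to the next state.
GRACE_DAYS = {"faculty": 365, "staff": 30, "student": 180, "affiliate": 0}
DISABLED_DAYS = {"faculty": 365, "staff": 90, "student": 365, "affiliate": 30}


@dataclass
class Account:
    uid: str
    affiliation: str
    state: str = "active"
    last_effective: Optional[date] = None   # set by the SOR when the role ends
    sponsor: Optional[str] = None           # uid of the sponsoring account holder


def effective_end(acct: Account, accounts: Dict[str, Account]) -> Optional[date]:
    """Date on which the account's basis for existing ended. A sponsored
    affiliate cannot outlive its sponsor's eligibility, so the earlier of
    the two dates wins; a vanished sponsor counts as ended long ago."""
    end = acct.last_effective
    if acct.sponsor is not None:
        sponsor = accounts.get(acct.sponsor)
        sponsor_end = sponsor.last_effective if sponsor is not None else date.min
        if sponsor_end is not None and (end is None or sponsor_end < end):
            end = sponsor_end
    return end


def target_state(acct: Account, accounts: Dict[str, Account], today: date) -> str:
    """State the account should be in on `today`, from its effective end date."""
    end = effective_end(acct, accounts)
    if end is None or today <= end:
        return "active"
    days_past = (today - end).days
    grace = GRACE_DAYS[acct.affiliation]
    if days_past <= grace:
        return "grace"
    if days_past <= grace + DISABLED_DAYS[acct.affiliation]:
        return "disabled"
    return "deleted"


def run_nightly(accounts: Dict[str, Account], today: date) -> List[Tuple[str, str, str]]:
    """Apply transitions and return (uid, old_state, new_state) per change.
    A deleted account is never resurrected here; that needs a new SOR record."""
    changes = []
    for acct in accounts.values():
        if acct.state == "deleted":
            continue
        new = target_state(acct, accounts, today)
        if new != acct.state:
            changes.append((acct.uid, acct.state, new))
            acct.state = new
    return changes


# Constructed accounts: one active faculty member, one who left, a staff
# member who left, an affiliate that staff member sponsors, and a long-gone
# student.
def sample_accounts() -> Dict[str, Account]:
    return {
        "emmy": Account("emmy", "faculty"),
        "dirk": Account("dirk", "faculty", last_effective=date(2024, 6, 30)),
        "sam": Account("sam", "staff", last_effective=date(2024, 8, 15)),
        "gus": Account("gus", "affiliate", sponsor="sam"),
        "old": Account("old", "student", last_effective=date(2023, 1, 1)),
    }


if __name__ == "__main__":
    accounts = sample_accounts()
    for change in run_nightly(accounts, date(2024, 9, 1)):
        print(change)
```

Because the job recomputes the target state from dates rather than stepping through a queue, it is idempotent: running it twice on the same night changes nothing, and a missed night is caught up on the next run.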

23

Account State Diagram

24

Revocation (cont)

25

Future Plans

• Expanding person affinities and defining the group membership criteria

• Implement Shibboleth with our Web-ISO

• Implement user-selectable privacy filters for user-controlled release of information

• Expand the API for using our WebISO

26

Questions

Jack Suess - [email protected]

Online Slides: http://userpages.umbc.edu/~jack/talks/idman.htm

Resources:

http://middleware.internet2.edu/

http://www.nmi-edit.org/